Commit Graph

746 Commits (ab180fc648d331643aaf340c3cf7e92bcbb10bce)

Author SHA1 Message Date
Filippo Valsorda 4d318be195 [update] fix (unexploitable) BB'06 vulnerability in rsa_verify
The rsa_verify code was vulnerable to a BB'06 attack, allowing to forge
signatures for arbitrary messages if and only if the public key exponent is
3.  Since the updates key is hardcoded to 65537, there is no risk for
youtube-dl, but I don't want vulnerable code in the wild.

The new function adopts a way safer approach of encoding-and-comparing to
replace the dangerous parsing code.
Jaime Marquínez Ferrándiz e37afbe0b8 [YoutubeDL] urlopen: disable the 'file:' protocol ()
If someone is running youtube-dl on a server to deliver files, the user could input 'file:///some/important/file' and youtube-dl would save that file as a video giving access to sensitive information to the user.
'file:' urls can be filtered, but the user can use an URL to a crafted m3u8 manifest like:

    #EXTM3U
    #EXT-X-MEDIA-SEQUENCE:0
    #EXTINF:10.0
    file:///etc/passwd
    #EXT-X-ENDLIST

With this patch 'file:' URLs raise URLError like for unknown protocols.
Jakub Wilk dfb1b1468c Fix typos
Closes .
remitamine f11d00fa41 [test_subtitles] remove BlipTV test
Sergey M․ 6b77d52b1f [test_utils] Add tests for encode_compat_str
Yen Chi Hsuan db2fe38b55 [utils] Support alternative timestamp format in TTML
Fixes 
Yen Chi Hsuan d631d5f9f2 [utils] Fix TTML conversion
Tolerate invalid timestamps (closes )
Sergey M․ 31b2051e21 [utils] Add remove_quotes
Jaime Marquínez Ferrándiz 47f48f5d85 [test/test_all_urls] Update pbs extractor name
It's in lowercase now (since e15e2ef7a0).
Sergey M․ 9cb9a5df77 [utils] Check ext with trailing slash against the list of known extensions
Sergey M․ 5035536e3f [test_utils] Add tests for determine_ext
Sergey M․ 7aefc49c40 [utils] Skip invalid/non HTML entities (Closes )
Yen Chi Hsuan ff29bf81f8 [jsinterp] Support alternative function definition form
Yen Chi Hsuan 66d041f250 [test/subtitles] Add test for DemocracynowIE
Jaime Marquínez Ferrándiz 6a75040278 [utils] unified_strdate: Return None if the date format can't be recognized (fixes )
This issue was introduced with ae12bc3ebb, it returned 'None'.
Sergey M 30eecc6a04 Merge pull request from jaimeMF/xml_attrib_unicode
Use a wrapper around xml.etree.ElementTree.fromstring in python 2.x (…
Sergey M․ 578c074575 [utils] Support list of xpath in xpath_element
Sergey M․ 52c3a6e49d [utils] Improve parse_iso8601
Jaime Marquínez Ferrándiz f78546272c [compat] compat_etree_fromstring: also decode the text attribute
Deletes parse_xml from utils, because it also does it.
Jaime Marquínez Ferrándiz 387db16a78 [compat] compat_etree_fromstring: only decode bytes objects
Jaime Marquínez Ferrándiz 36e6f62cd0 Use a wrapper around xml.etree.ElementTree.fromstring in python 2.x ()
Attributes aren't unicode objects, so they couldn't be directly used in info_dict fields (for example '--write-description' doesn't work with bytes).
Jaime Marquínez Ferrándiz 65d49afa48 [test/test_download] Use extract_flat = 'in_playlist' for playlist items
Some playlist extractors return a 'url' result, which wouldn't be resolved.
Sergey M․ d01949dc89 [utils:js_to_json] Fix bad escape in double quoted strings
Sergey M․ 448ef1f31c [extractor/common] Allow angle brackets in attributes in _og_regexes ()
Sergey M․ 8e5b121948 [test_youtube_lists] Add test flat playlist entries' titles
Sergey M․ db0a8ad979 [test_InfoExtractor] Add test for unquoted attribute
Sergey M․ 1c29e81e62 [test_InfoExtractor] Add test for 7a6d76a64d
Jaime Marquínez Ferrándiz 7d0ada5ff9 [test/helper] Fix style
Use the correct indentation to please flake8
Sergey M․ f88f1b40ce [test/helper] Clarify field for list length mismatch
Sergey M․ 386a7b52d5 [test/helper] Spelling
Sergey M․ 2e885de796 [test/helper] Formatting
Qijiang Fan 687c04cbb8 [test] use descriptive variable name
Qijiang Fan 40c931de4b [test] split expect_dict to two functions
Qijiang Fan 93bc7ef165 [test] recursively check dict and list in expect_info_dict
This allows to use md5:, re:, etc within the str inside a list
or dict.
Sergey M․ c6aa838b51 [youtube:history] Enable exractor
Jaime Marquínez Ferrándiz f005f96ea5 [youtube:history] Explain why it has disabled and skip test
remitamine c67a055d16 [test/test_write_annotations] fix test filename
Closes 
Sergey M․ 3513d41436 [test_compat] Fix typo
Sergey M․ ee087c79ad [test_compat] Add test for compat_shlex_split
Sergey M․ f71264490c [test_utils] Add tests for cli option converters
Sergey M․ 87f70ab39d [test_utils] Add more tests for xpath
Yen Chi Hsuan f908b74fa3 [test/subtitles] Add test for ThePlatformFeedIE
Sergey M․ 8e2b1be127 [test/helper] Make age_limit checkable field
Sergey M. d5d7bdaeb5 Merge pull request from dstftw/improve-generic-smil-support
Improve generic SMIL support
Jaime Marquínez Ferrándiz 232541df44 [YoutubeDL] format spec: correctly handle dashes and other unused operators
'mp4-baseline-16x9' must be handled as a single string, but the '-' was treated as an operator.
Jaime Marquínez Ferrándiz d96d604e53 YoutubeDL: format spec: don't accept a bare '/' ()
Jaime Marquínez Ferrándiz 03950c90f7 Merge remote-tracking branch 'jaimemf/format_spec_groups' (closes )
Sergey M․ 645f814544 [test/helper] Allow dicts for mincount
Sergey M․ 308cfe0ab3 [test_downloader] Respect --force-generic-extractor
Sergey M․ ee114368ad [utils] Make value optional for find_xpath_attr
This allows selecting particular attributes by name but without specifying the value and similar to xpath syntax `[@attrib]`